This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/allura.git

commit fc9d5280d348ed9388009f4613ffedae3dbddc0a
Author: Dave Brondsema <[email protected]>
AuthorDate: Thu Jan 2 15:44:40 2025 -0500

    enforce new passwords (not current one again) on pwd reset links
---
 Allura/allura/controllers/auth.py           |  9 +++++++--
 Allura/allura/tests/functional/test_auth.py | 11 +++++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/Allura/allura/controllers/auth.py 
b/Allura/allura/controllers/auth.py
index 0b6a7e1d2..8857bdaa0 100644
--- a/Allura/allura/controllers/auth.py
+++ b/Allura/allura/controllers/auth.py
@@ -167,7 +167,7 @@ class AuthController(BaseController):
         c.form = F.registration_form
         return dict()
 
-    def _validate_hash(self, hash):
+    def _validate_hash(self, hash) -> M.User:
         login_url = config.get('auth.login_url', '/auth/')
         if not hash:
             redirect(login_url)
@@ -206,7 +206,12 @@ class AuthController(BaseController):
         if not provider.forgotten_password_process:
             raise wexc.HTTPNotFound()
         user = self._validate_hash(hash)
-        enforce_hibp_password_check(provider, pw, 
f'/auth/forgotten_password/{hash}')
+        restart_url = f'/auth/forgotten_password/{hash}'
+        enforce_hibp_password_check(provider, pw, restart_url)
+
+        if provider._validate_password(user, pw):
+            flash('Your old and new password should not be the same', 'error')
+            redirect(restart_url)
 
         user.set_password(pw)
         user.set_tool_data('AuthPasswordReset', hash='', hash_expiry='')  # 
Clear password reset token
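Review bot: The same-password rejection on the `if provider._validate_password(user, pw):` line redirects back to `restart_url` with the reset token still valid, so the reset link now doubles as an oracle for the current password: whoever holds the link can submit guesses and learn from the flash message whether one matches, and nothing in this hunk limits attempts on that path. The exposure is the current credential (and wherever it is reused) rather than the account, since a link holder can already set a new password. If the provider tracks failed login attempts, consider feeding this mismatch into the same counter, or clearing the token on a rejected guess with `user.set_tool_data('AuthPasswordReset', hash='', hash_expiry='')` before the redirect, at the cost of the user requesting a fresh link. A short comment above the check, e.g. `# reject reuse of the current password; a reset must actually rotate it`, would also make the intent explicit. The enclosing method begins before this hunk.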
diff --git a/Allura/allura/tests/functional/test_auth.py 
b/Allura/allura/tests/functional/test_auth.py
index 7309495c9..3ca7741d0 100644
--- a/Allura/allura/tests/functional/test_auth.py
+++ b/Allura/allura/tests/functional/test_auth.py
@@ -1743,6 +1743,17 @@ To update your password on {}, please visit the 
following URL:
         assert 'New Password:' in r
         assert 'New Password (again):' in r
         form = r.forms[0]
+        form['pw'] = form['pw2'] = 'foo'  # old password
+        with h.push_config(config, **{'auth.min_password_len': 3}):
+            r = form.submit()
+        print(r)
+        if r.status == 200:
+            assert [] == r.html.findAll(attrs={'class': 'fielderror'})
+        assert 'Your old and new password should not be the same' in 
self.webflash(r)
+        r = r.follow()
+
+        # fill it out correctly
+        form = r.forms[0]
         form['pw'] = form['pw2'] = new_password = '154321'
         with td.audits(r'Password changed \(through recovery process\)', 
user=True):
             # escape parentheses, so they would not be treated as regex group
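Review bot: The `if r.status == 200:` guard makes the fielderror assertion vacuous: if `r` is a WebTest response, `r.status` is the string `'200 OK'`, so the comparison with the int `200` is never true, and on the expected redirect path nothing is asserted about the form at all. Assert the redirect explicitly instead, e.g. `assert r.status_int == 302, r`, and drop the leftover `print(r)` debugging line. The `'foo'` literal depends on the fixture user's current password plus the `auth.min_password_len` of 3 pushed only around the submit; naming that fixture in the `# old password` comment would make the dependency clear to the next maintainer. The test method starts before this hunk.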
